Hi. On Mon, Aug 26, 2019 at 09:34:36AM -0700, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > > In xfs_ialloc_setup_geometry, it's possible for a malicious/corrupt fs > image to set an unreasonably large value for sb_inopblog which will > cause ialloc_blks to be zero. If sb_imax_pct is also set, this results > in a division by zero error in the second do_div call. Therefore, force > maxicount to zero if ialloc_blks is zero. > > Note that the kernel metadata verifiers will catch the garbage inopblog > value and abort the fs mount long before it tries to set up the inode > geometry; this is needed to avoid a crash in xfs_db while setting up the > xfs_mount structure. > > Found by fuzzing sb_inopblog to 122 in xfs/350. The patch looks good, but maybe a comment is worth so we don't need to check the git log to understand why we need to check ialloc_blks here? > > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > --- > fs/xfs/libxfs/xfs_ialloc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c > index 1a14067aa4d4..5e95648c346c 100644 > --- a/fs/xfs/libxfs/xfs_ialloc.c > +++ b/fs/xfs/libxfs/xfs_ialloc.c > @@ -2811,7 +2811,7 @@ xfs_ialloc_setup_geometry( > inodes); Something like: /* * Set the maximum inode count for this filesystem, being careful * ialloc_blks is not zeroed due a corrupted sb_agblklog */ if (sbp->sb_imax_pct) { if (sbp->sb_imax_pct && igeo->ialloc_blks) { > /* > * Make sure the maximum inode count is a multiple > * of the units we allocate inodes in. The comment is just a suggestion anyway, you can add to the patch: Reviewed-by: Carlos Maiolino <cmaiolino@xxxxxxxxxx> -- Carlos